Privacy Statement on the Processing of Personal Data

Last updated: 2025-09-10

1. Who we are

This Privacy Statement explains how EDDA Luxembourg S.A. (“EDDA”, “we”, “us” or “our”) processes personal data in the context of its activities as an IT consulting business providing resources to clients.

Joint controllers
For most of our activities, personal data is processed under the joint responsibility of:

• EDDA Luxembourg S.A., 3, rue de l’Industrie, L-8399 Windhof, Luxembourg

• EDDA International S.A., 3, rue de l’Industrie, L-8399 Windhof, Luxembourg

• EDDA International Belgium SRL, Boulevard du Souverain 25, B-1170 Watermael-Boitsfort, Belgium

(collectively referred to as the “EDDA Group”, where appropriate).

If you have any questions about this Privacy Statement or about how we process personal data, you can contact us at:

• General privacy contact: dpo@edda.lu

We have appointed a Data Protection Officer (DPO) who can be contacted at the same email address.

The EDDA Group entities act as joint controllers. They have agreed between themselves how responsibilities under the GDPR are allocated, in particular with respect to providing information to data subjects and responding to data subject rights requests.
EDDA Luxembourg S.A. acts as the main contact point for data subjects (dpo@edda.lu), but you may exercise your rights against any EDDA Group entity.

2. To whom this notice applies

This Privacy Statement applies to the processing of personal data of:

• Website visitors

• Existing and prospective clients (leads)

• Partners and business contacts

• Job applicants

• Suppliers and service providers and their representatives

• Employees

3. What personal data we process

Depending on your relationship with us and how you interact with us, we may process the following categories of personal data:

• Identity data
  e.g. name, title, employer, role/function, identification numbers where required by law.

• Contact data
  e.g. business and/or private address, email address, phone number.

• Contract and client data
  e.g. information required for client onboarding, the services we provide, communication history, contractual documentation.

• Financial and billing data
  e.g. bank account details, invoicing details, payment information and related records.

• HR and recruitment data (for employees and applicants)
  e.g. CV and application information, qualifications, employment history, performance and job-related data, payroll and benefits data, work contact details.

• Technical and usage data
  e.g. IP address, browser type, device identifiers, access logs and other information necessary to manage and secure our IT systems and to improve our website and services.

• Marketing and communication data
  e.g. your preferences regarding receiving newsletters, event invitations and other marketing communications, and your interactions with such communications.

We do not intentionally process special categories of personal data (such as health data, biometric data, or data revealing political opinions, religious beliefs, or trade union membership) in the normal course of our business, and we do not target our services to children.

4. How we obtain personal data

We collect personal data mainly through:

• Direct exchanges with you, for example:

  • when you contact us by email or other channels

  • when we have meetings or calls

  • when you submit a job application or provide us with your CV

  • when you are employed by us

• Clients and business partners, in the context of our business relationships:

  • for example, when our client provides us with contact details of their staff or representatives involved in a project.

• Employment relationship:

  • information created and processed in the context of your employment with us.

• Website and online interactions:

  • information collected through your use of our website and online tools, as described in our website privacy policy:
    https://www.edda.lu/privacy-policy/

• Publicly available sources:
  • for example, professional social networks (such as LinkedIn), company websites and public registries, where this is appropriate for recruitment or business development purposes.
• Recruitment partners and job platforms:
  • where recruitment agencies, job portals or similar intermediaries provide us with candidate information in accordance with their own privacy notices.

We do not rely on extensive external data sources; our main sources are email exchanges, direct interactions, and information provided by clients, partners, and employees in the context of our business relationships.

In situations where we collect personal data directly from you, some of this information may be necessary to enter into or perform a contract with you (for example, to onboard you as a client or to employ you) or to comply with legal obligations (for example, tax, social security or anti-money-laundering rules). If you do not provide such information when requested, we may not be able to enter into or continue the relevant relationship or provide certain services.

5. For what purposes and on which legal bases we process personal data

We process personal data only where a legal basis under the General Data Protection Regulation (GDPR) applies. In particular:

5.1 Client onboarding, contract performance and business operations

We process personal data to:

• assess and onboard clients

• perform and manage client contracts

• coordinate projects and resources for clients

• manage relationships with clients, partners and suppliers

Legal basis:

• Performance of a contract or taking steps at your request before entering into a contract (Art. 6(1)(b) GDPR).

• Legitimate interests in managing our business relationships and operations where we contract with legal persons (Art. 6(1)(f) GDPR).

5.2 Invoicing, accounting and finance

We process personal data to:

• issue and manage invoices

• process payments and manage accounts

• comply with tax and accounting rules

Legal basis:

• Compliance with legal obligations (e.g. accounting and tax laws) (Art. 6(1)(c) GDPR).

• Performance of a contract (Art. 6(1)(b) GDPR), where relevant.

5.3 HR and payroll for employees

We process personal data to:

• manage employment relationships

• administer payroll, benefits and HR processes

• manage work schedules and performance

Legal basis:

• Performance of the employment contract (Art. 6(1)(b) GDPR).

• Compliance with employment, social security and tax laws (Art. 6(1)(c) GDPR).

• Our legitimate interests in managing our workforce and ensuring effective operations (Art. 6(1)(f) GDPR).

5.4 Recruitment and job applications

We process personal data to:

• review and evaluate job applications

• contact candidates and manage recruitment processes

• build a limited pool of potential candidates, where appropriate and permissible

Legal basis:

• Taking steps at your request before entering into a contract (Art. 6(1)(b) GDPR).

• Our legitimate interests in recruiting staff (Art. 6(1)(f) GDPR).

• Where required, consent (Art. 6(1)(a) GDPR), e.g. for keeping your application on file for a longer period.

5.5 Marketing, newsletters and events

We may process personal data to:

• send newsletters, updates and invitations to events

• manage mailing lists and event participation

• follow up on leads and prospective clients

Legal basis:

• Our legitimate interests in promoting our services and maintaining relationships with existing or prospective clients and partners (Art. 6(1)(f) GDPR), within the boundaries of applicable marketing laws.

• Where required (e.g. certain electronic marketing), we rely on your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time.

5.6 Website analytics and improvement

We process technical and usage data to:

• operate and secure our website and IT systems

• understand how our website is used and improve its content and functionality

Legal basis:

• Our legitimate interests in ensuring IT security and improving our services (Art. 6(1)(f) GDPR).

• Where analytics or similar technologies require prior consent under e-privacy rules, we rely on your consent.

5.7 IT systems management and security

We process personal data (including access logs and technical identifiers) to:

• manage and protect our IT infrastructure

• detect and prevent security incidents, misuse and fraud

• ensure continuity of our services

Legal basis:

• Our legitimate interests in ensuring the security and proper functioning of our systems and services (Art. 6(1)(f) GDPR).

6. Who we share personal data with

We share personal data only on a need-to-know basis and where it is lawful to do so. In particular, we may share personal data with:

• Cloud and IT service providers
  providing hosting, storage, email or other IT and business applications we use.

• Professional advisors and auditors
  such as accountants, auditors or lawyers, where needed for business, legal or compliance purposes.

• Banks and payment service providers
  where necessary to process payments and manage our finances.

• Public authorities and regulators
  where required by law or to comply with legal or regulatory obligations.

Within the EDDA Group, personal data may be shared between EDDA Luxembourg S.A., EDDA International S.A. and EDDA International Belgium SRL where needed for internal administration, reporting, or to deliver services to clients.

All such recipients are required to protect personal data appropriately and to process it in accordance with applicable data protection laws and our instructions where they act as processors.

7. International data transfers

At the time of this Privacy Statement, we do not transfer personal data outside the European Economic Area (EEA).

If in the future we need to transfer personal data to a country outside the EEA, we will ensure that appropriate safeguards are in place (such as an adequacy decision or Standard Contractual Clauses) and update this Privacy Statement accordingly.

8. How long we keep personal data

We retain personal data only for as long as necessary to fulfil the purposes described above or to comply with legal, regulatory or contractual requirements.

As a general rule:

• Client data
  Retained for the duration of the client relationship plus 10 years for legal and regulatory purposes.

• Employee data
  Retained for the duration of employment plus 10 years for legal, regulatory and contractual purposes.

• Financial records
  Retained for 10 years from the end of the fiscal year to which they relate, as required by tax and accounting regulations.

• Marketing data
  Retained for 10 years from the last interaction with the data subject, unless consent is withdrawn earlier, or a longer period is necessary for specific, clearly defined marketing campaigns.

Retention periods may vary based on the nature and sensitivity of the personal data and applicable legal or regulatory requirements. More detailed retention rules can be set out in our internal Data Retention Schedule.

After the relevant retention period has expired, we will delete or anonymise personal data in a secure manner.

9. Cookies and website privacy

Our website may use cookies and similar technologies to operate the site, to understand how it is used and, where applicable, for analytics or marketing purposes.

Details about the cookies and tracking technologies used on our website, as well as your choices and controls, are described in the website privacy policy available at:

https://www.edda.lu/privacy-policy/

Where required by law, we will ask for your consent before placing non-essential cookies on your device.

10. Your data protection rights

Under applicable data protection law, you have the following rights in relation to your personal data, subject to conditions and limitations set out in the GDPR:

• Right of access
  to obtain confirmation as to whether we process your personal data and to receive a copy of it.

• Right to rectification
  to request correction of inaccurate or incomplete personal data.

• Right to erasure
  to request deletion of your personal data in certain circumstances (the “right to be forgotten”).

• Right to restriction of processing
  to request that we restrict processing of your personal data in certain cases.

• Right to data portability
  to receive personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another controller, where technically feasible.

• Right to object
  to object, on grounds relating to your particular situation, to processing based on our legitimate interests; and to object at any time to processing for direct marketing.

• Rights related to automated decision-making
  We do not carry out decision-making based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

To exercise your rights, please contact us at:

• Rights and privacy requests: dpo@edda.eu

You may also use this address if you have any questions or concerns about how we process your personal data. We may ask you for additional information to verify your identity before responding to your request.

Where we process your personal data based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

11. Right to lodge a complaint

If you believe that we have not processed your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement.

In Luxembourg, the supervisory authority is the Commission nationale pour la protection des données (CNPD).

We would, however, appreciate the opportunity to address your concerns first, so we encourage you to contact us at dpo@edda.lu or dpo@edda.eu before contacting a supervisory authority.

12. Security of your personal data

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include, as appropriate:

• access and authentication controls

• secure networks and systems

• regular backups and monitoring

• staff confidentiality obligations and training on data protection

13. Changes to this Privacy Statement

We may update this Privacy Statement from time to time, for example to reflect changes in our processing activities or legal obligations. The latest version will always be available on our website.

The version and date of this Privacy Statement are indicated at the top of the document and in the version history available on our website.